163 lines
4.3 KiB
Text
163 lines
4.3 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2020-2022 Mikhail Morfikov
|
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{lib}/{,fwupd/}fwupd
|
|
profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
|
|
include <abstractions/base>
|
|
include <abstractions/bus-system>
|
|
include <abstractions/bus/org.bluez>
|
|
include <abstractions/bus/org.freedesktop.ModemManager1>
|
|
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
|
include <abstractions/consoles>
|
|
include <abstractions/disks-write>
|
|
include <abstractions/fonts>
|
|
include <abstractions/nameservice-strict>
|
|
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability linux_immutable,
|
|
capability mknod,
|
|
capability net_admin,
|
|
capability sys_admin,
|
|
capability sys_nice,
|
|
capability sys_rawio,
|
|
capability syslog,
|
|
|
|
network inet dgram,
|
|
network inet stream,
|
|
network inet6 dgram,
|
|
network inet6 stream,
|
|
network netlink raw,
|
|
|
|
#aa:dbus own bus=system name=org.freedesktop.fwupd path=/
|
|
#aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd
|
|
#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
|
|
#aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
|
|
|
|
dbus receive bus=system path=/
|
|
interface=org.freedesktop.DBus.ObjectManager
|
|
member=InterfacesAdded
|
|
peer=(name=@{busname}, label=bluetoothd),
|
|
|
|
@{exec_path} mr,
|
|
|
|
@{lib}/fwupd/fwupd-detect-cet rix,
|
|
|
|
@{bin}/gpg{,2} rCx -> gpg,
|
|
@{bin}/gpgconf rCx -> gpg,
|
|
@{bin}/gpgsm rCx -> gpg,
|
|
|
|
/usr/share/fwupd/{,**} r,
|
|
/usr/share/hwdata/* r,
|
|
/usr/share/libdrm/*.ids r,
|
|
/usr/share/mime/mime.cache r,
|
|
/usr/share/misc/*.ids r,
|
|
|
|
/etc/fwupd/{,**} rw,
|
|
/etc/lsb-release r,
|
|
/etc/pki/fwupd-metadata/{,**} r,
|
|
/etc/pki/fwupd/{,**} r,
|
|
|
|
/etc/machine-id r,
|
|
/var/lib/dbus/machine-id r,
|
|
|
|
@{efi}/{,**} r,
|
|
@{efi}/EFI/*/.goutputstream-@{rand6} rw,
|
|
@{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw,
|
|
@{efi}/EFI/*/fwupdx@{int}.efi rw,
|
|
@{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
|
|
|
|
@{MOUNTDIRS}/*/{,@{efi}/} r,
|
|
@{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
|
|
|
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
|
/var/tmp/etilqs_@{sqlhex} rw,
|
|
owner /var/cache/fwupd/ rw,
|
|
owner /var/cache/fwupd/** rwk,
|
|
owner /var/lib/fwupd/ rw,
|
|
owner /var/lib/fwupd/** rwk,
|
|
|
|
# In order to get to this file, the attach_disconnected flag has to be set
|
|
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
|
|
owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
|
|
|
|
@{sys}/**/ r,
|
|
@{sys}/devices/** r,
|
|
|
|
@{sys}/**/uevent r,
|
|
@{sys}/firmware/acpi/** r,
|
|
@{sys}/firmware/dmi/tables/DMI r,
|
|
@{sys}/firmware/dmi/tables/smbios_entry_point r,
|
|
@{sys}/firmware/efi/** r,
|
|
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
|
|
@{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
|
|
@{sys}/firmware/efi/efivars/fwupd-* rw,
|
|
@{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
|
|
@{sys}/kernel/security/lockdown r,
|
|
@{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
|
|
@{sys}/power/mem_sleep r,
|
|
|
|
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
|
|
|
|
@{run}/motd.d/ r,
|
|
@{run}/motd.d/@{int}-fwupd* rw,
|
|
@{run}/motd.d/fwupd/{,**} rw,
|
|
@{run}/mount/utab r,
|
|
@{run}/udev/data/* r,
|
|
|
|
@{PROC}/@{pids}/fd/ r,
|
|
@{PROC}/@{pids}/mountinfo r,
|
|
@{PROC}/@{pids}/mounts r,
|
|
@{PROC}/1/cgroup r,
|
|
@{PROC}/cmdline r,
|
|
@{PROC}/modules r,
|
|
@{PROC}/swaps r,
|
|
@{PROC}/sys/kernel/tainted r,
|
|
|
|
/dev/bus/usb/ r,
|
|
/dev/bus/usb/@{int}/@{int} rw,
|
|
/dev/cpu/@{int}/msr rw,
|
|
/dev/dri/card@{int} rw,
|
|
/dev/drm_dp_aux@{int} rw,
|
|
/dev/gpiochip@{int} r,
|
|
/dev/hidraw@{int} rw,
|
|
/dev/ipmi@{int} rwk,
|
|
/dev/mei@{int} rw,
|
|
/dev/mem r,
|
|
/dev/mtd@{int} rw,
|
|
/dev/tpm@{int} rw,
|
|
/dev/tpmrm@{int} rw,
|
|
/dev/wmi/* r,
|
|
|
|
profile gpg flags=(attach_disconnected,complain) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice-strict>
|
|
|
|
capability dac_read_search,
|
|
|
|
@{bin}/gpg{,2} mr,
|
|
@{bin}/gpgconf mr,
|
|
@{bin}/gpgsm mr,
|
|
|
|
@{bin}/gpg-agent rix,
|
|
@{lib}/{,gnupg/}scdaemon rix,
|
|
|
|
owner /var/lib/fwupd/gnupg/ rw,
|
|
owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
|
|
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
|
|
|
include if exists <local/fwupd_gpg>
|
|
}
|
|
|
|
include if exists <local/fwupd>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|